This is another finding in Unifi Controller.
I have found a persistent xss vulnerability on Unifi Controller that allows attackers steal user’s cookies, do csrf attacks against victim account or do phishing attacks. This vulnerability occurs due the page allows svg attachments that contains “xmlns=http://www.w3.org/1999/xhtml”, then the page will render the content of the xml as html , so resulting on a xss vulnerability.
Many of the websites now allow svg files to be uploaded under images category . But did they filtered the content of svg file before placing it on the server ? The answer is ummm…? . To verify this answer what i did is created a svg file with a XSS vector below and started testing the websites that allow images.
<svg xmlns="http://www.w3.org/2000/svg" viewbox="-1 -1 15 15"> <rect y="0" height="13" width="12" stroke="#179" rx="1" fill="#2ac"/> <text x="1.5" y="11" font-family="courier" stroke="white" font-size="16"><![CDATA[B]]></text> <iframe srcdoc="<script>alert('XSSED => Domain('+top.document.domain+')');</script>"></iframe> </svg>
1). While logged on unifi controller go to https://localhost:8443/manage/site/urrhpg78/maps
2). In image upload the poc.svg 3). After click in “Upload File”. 4). After uploading the file open image.
2). In image upload the poc.svg
3). After click in “Upload File”.
4). After uploading the file open image.
5). See the xss alert.
I found the same bug in some other Applications you can have a look at Jasminder Pal Singh blog. This bug is also affecting demo.ubnt.com
A simple fix for this vulnerability is blocking SVG files upload, in case this isn’t possible a good method is interpret the SVG file, don’t allowing the upload if it contains HTML or invalid tags.
Exploit Scenario:Like in the https://www.guptashubham.com/stored-xss-in-unifi-v4-8-12-controller this attack would require valid admin credentials, so a this will be viable just to one admin attack another.
Big Thanks to @93c08539 for the bounty 🙂 and helping me alot.